Report No. D2007-056     February 7, 2007

Integrated Accounts Payable System Compliance with the Defense Business Transformation System Certification Criteria

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

CCA        Clinger-Cohen Act
CIO        Chief Information Officer
CONOPS     Concept of Operations
DAA        Designated Approving Authority
DBSMC      Defense Business Systems Management Committee
DEAR       Database Enhancement and Restructure
DFAS       Defense Finance and Accounting Service
DITSCAP    DoD Information Technology Security Certification and Accreditation Process
ESG        Executive Steering Group
FFMIA      Federal Financial Management Improvement Act
GAFS       General Accounting and Finance System
IAPS       Integrated Accounts Payable System
IRB        Investment Review Board
IRWG       Investment Review Working Group
NDAA       National Defense Authorization Act
OSD        Office of the Secretary of Defense
SSAA       System Security Authorization Agreement

Department of Defense Office of Inspector General
Report No. D2007-056 (Project No. D2006-D000FB-0164.000)     February 7, 2007

Integrated Accounts Payable System Compliance with the Defense Business Transformation System Certification Criteria

Executive Summary

Who Should Read This Report and Why? DoD personnel who prepare, review, certify, and approve Defense business system investments will find this report of interest. It describes the Defense Finance and Accounting Service (DFAS) policies and procedures used to certify and approve Defense business system modernizations under $1 million. Specifically, this report discusses the procedures used to approve the FY 2006 modernization efforts for the Integrated Accounts Payable System (IAPS).

Background. The Deputy Under Secretary of Defense (Business Transformation) requested that we review DoD Component compliance with the Defense Business Transformation System Certification Criteria. This report is one in a series and discusses the compliance of IAPS with the Defense Business Transformation System Certification Criteria. Subsequent reports will discuss other business systems' compliance.

The “National Defense Authorization Act for Fiscal Year 2005” (NDAA) states that funds appropriated for Defense business system modernizations in excess of $1 million may not be obligated unless certified by the Designated Approving Authority and approved by the Defense Business Systems Management Committee. To comply with the NDAA, the Defense Business Systems Management Committee issued the Investment Review Board Concept of Operations. The Concept of Operations provides guidance on certifying Defense business system investments in excess of $1 million, which require an Office of the Secretary of Defense-level review and approval. Defense business system investments under $1 million do not require an Office of the Secretary of Defense-level review and approval, unless designated as a special interest program.[∗] Investments under $1 million are subjected to the Component-level review and approval process. The Component-level investment review processes should be consistent with the NDAA and the Concept of Operations.

IAPS is a DFAS automated system. It supports the payment of commercial vendors and provides support for standard Electronic Data Interchange transactions, thus allowing full support for DoD and electronic commerce initiatives.

Results. DFAS did not implement sufficient controls to ensure that the modernization decision for IAPS was based on adequate documentation. As a result, the DFAS Executive Steering Group approved the modernization for $759,000 based on unsupported information. Without adequate standard procedures and controls for modernizations under $1 million, the DFAS Executive Steering Group may continue to approve procurements that are not adequately supported and reviewed. Therefore, the DFAS Executive Steering Group needs to take corrective action to ensure that detailed instructions are developed, supporting documentation is maintained, and review procedures are developed and followed (see the Finding section of the report for the detailed recommendations).

[∗] Special interest is based on technological complexity, Congressional interest, or program criticality to the achievement of a capability or set of capabilities. Special interest is also based on whether the program is a joint program or whether the resources committed to the program are substantial.

Management Actions. During the audit, the Defense Finance and Accounting Service Investment Review Working Group acknowledged the need to improve their investment review process. They stated that they have begun to refine their investment review process by improving their validation process and developing FY 2007 guidance and instructions.

Management Comments and Audit Response. The Director, Information and Technology, responding for the Director, DFAS, partially agreed with the need for better documentation and did not agree with the conclusion that the IAPS modernization was based on unsupported information. The Director stated that the 2005 NDAA does not direct Investment Review Boards to require Clinger-Cohen Act or Federal Financial Management Improvement Act compliance. The Director also stated that the CCA comments in the report note items that the audit team did not review rather than focusing on the Investment Review Working Group's examination and rationale. The Director disagreed with the conclusion that the Database Enhancement and Restructure modernization was not supported because an updated System Security Authorization Agreement was not in place. However, the Director indicated that the System Security Authorization Agreement was updated with information about the Database Enhancement and Restructure modernization in September 2006. We reviewed the DFAS Investment Review Process procedures and found that system managers were required to certify that their systems were aligned with applicable policies, laws, and regulations. Specifically, system managers were required to indicate if their system was compliant with the Clinger-Cohen Act, the DoD Information Technology Security Certification and Accreditation Process, and the Federal Financial Management Improvement Act. Regarding the Director's comments on the audit team's review of Clinger-Cohen Act compliance, Investment Review Working Group officials stated that they created a requirements table for reviewing IAPS compliance with the Clinger-Cohen Act. We considered the Investment Review Working Group examination and rationale in auditing the Investment Review Board process by examining the contents of the table. As indicated in this report, the Investment Review Working Group referenced six documents used to validate IAPS compliance with the Clinger-Cohen Act. However, three of the six documents were either not available, not required in the certification package, or did not contain updated information.

The Director, Information and Technology concurred with our recommendations and stated that for FY 2007, DFAS will require that all modernization efforts have the same documentation and level of review, regardless of whether the investment amount is under or over $1 million. In addition, DFAS established a system document repository, provided mandatory training for system managers, and published standard review criteria. A discussion of management comments is in the Finding section of the report and the complete text is in the Management Comments section.

Table of Contents

Executive Summary
Background
Objectives
Review of Internal Controls
Finding
    DFAS Investment Review Process for Investments Under $1 Million
Appendixes
    A. Scope and Methodology
    B. Report Distribution
Management Comments
    Defense Finance and Accounting Service

Background

The Deputy Under Secretary of Defense (Business Transformation) requested that we review DoD Component compliance with the Defense Business Transformation System Certification Criteria. This report is one in a series and discusses the compliance of the Integrated Accounts Payable System with the Defense Business Transformation System Certification Criteria. Subsequent reports will discuss other business systems' compliance.

National Defense Authorization Act. On October 28, 2004, Congress passed Public Law 108-375, “Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 (NDAA).” Section 2222 of the NDAA states that funds appropriated for Defense business modernizations in excess of $1 million may not be obligated unless the Designated Approving Authority (DAA) certifies the modernization to the Defense Business Systems Management Committee (DBSMC), and the DBSMC approves the certification. The NDAA defines business system modernizations as “the acquisition or development of a new defense business system or any significant modification or enhancement of an existing system.” In addition, the NDAA required the Secretary of Defense to delegate the review, approval, and oversight of the Defense business systems to the following four Office of the Secretary of Defense (OSD)-level approval authorities:

    • Under Secretary of Defense for Acquisition, Technology, and Logistics;

    • Under Secretary of Defense (Comptroller)/Chief Financial Officer;

    • Under Secretary of Defense for Personnel and Readiness; and

    • Assistant Secretary of Defense for Networks and Information Integration and Chief Information Officer of the Department of Defense.

Each approving authority is required to establish an investment review process that periodically (at least annually) reviews all business system investments. In addition, the process should include an Investment Review Board (IRB) review and approval for each Defense business system.

Section 186 of the NDAA directed the Secretary of Defense to establish the DBSMC. The DBSMC is responsible for coordinating Defense business system modernization initiatives to maximize benefits and minimize costs, and for ensuring that funds are obligated for Defense business systems in a manner consistent with section 2222 of the NDAA.

Investment Review Board Concept of Operations. On June 2, 2005, the DBSMC issued the Investment Review Board Concept of Operations (CONOPS). The CONOPS integrates policies, specifies responsibilities, and establishes processes to comply with section 2222 of the NDAA. It outlines the investment review process that all IRBs, Components, chief information officers (CIO), and program managers should follow if they have responsibility for business system investments.

The CONOPS introduces a structured investment review and certification process that includes determining review and certification requirements, Component review, and OSD-level review and certification. The CONOPS identifies three levels of certification review, or tiers. Tier certification processes are established based on the program scope, cost, and complexity. The tier process also provides flexibility if the program has been designated as a special interest program.[1] The CONOPS defines the following tier certification processes.

    • Tier 1 IRB: certification processes that apply to Major Automated Information Systems or programs.

    • Tier 2 IRB: certification processes that apply to modernizations and investments greater than $10 million and less than the Major Automated Information System threshold,[2] or those designated as special interest.

    • Tier 3 IRB: certification processes that apply to modernizations and investments greater than $1 million and less than $10 million.

The CONOPS provides guidance on preparing, reviewing, and certifying Defense business system investments in excess of $1 million, which require an OSD-level review. Defense business system investments under $1 million do not require an OSD-level review and approval, unless designated as a special interest program. Instead, investments under $1 million require a Component-level review and approval process.[3] The CONOPS requires Components to establish their own governance structures for investment review to support their transformation initiatives. The Component investment review processes should be consistent with the NDAA and the CONOPS. Other than Component-developed procedures, there are no criteria for reviewing and approving investments under $1 million.

Defense Finance and Accounting Service Investment Review Process. The Defense Finance and Accounting Service (DFAS) developed a Component-level review and approval process. For FY 2006 modernization investments under $1 million, DFAS developed and used workbooks. The workbooks were modeled after the standard set of IRB criteria outlined in the CONOPS. The workbooks contained system-specific questions. System managers were required to certify whether their automated systems were aligned with applicable policies, laws, and regulations. Specifically, system managers were required to indicate whether their system was compliant with the Clinger-Cohen Act (CCA), the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), and the Federal Financial Management Improvement Act (FFMIA).

[1] Special interest is based on technological complexity, Congressional interest, or program criticality to the achievement of a capability or set of capabilities. Special interest is also based on whether the program is a joint program or whether the resources committed to the program are substantial.
[2] The current Major Automated Information System threshold is $32 million.
[3] The process is referred to as a tier 4 process.

Clinger-Cohen Act. The CCA of 1996 establishes a top-down restructuring of Federal information technology acquisition programs. The goal of the CCA is to improve the acquisition and management of Federal information technology programs. The CCA requires the establishment of an efficient and effective information technology program for the Federal Government.

DoD Information Technology Security Certification and Accreditation Process. The DITSCAP establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems and maintain the information assurance and security posture of the Defense information infrastructure throughout the life cycle of each system. The accreditation process is a formal declaration by the DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Federal Financial Management Improvement Act. The FFMIA was created in 1996 to ensure consistent accounting by an agency from one fiscal year to the next. FFMIA also provides uniform accounting standards throughout the Federal Government. Federal financial data, including the full costs of Federal programs and activities, are required so that programs and activities can be considered based on their full costs and merits.

Integrated Accounts Payable System. For FY 2006, a workbook was completed for a $759,000 modernization to the Integrated Accounts Payable System (IAPS). IAPS is a DFAS automated system. IAPS supports the payment of commercial vendors conducting business with the Air Force, Air National Guard, National Geospatial-Intelligence Agency, and the Defense Security Service. The system computes accounts payable due dates, payment amounts, and interest payments. IAPS processes commitment transactions electronically to the General Accounting and Finance System (GAFS), and payment authorization data to the Central Disbursing System. In addition, IAPS provides support for standard DFAS Electronic Data Interchange transactions, allowing full support for DoD and DFAS electronic commerce initiatives such as Wide-Area Workflow, Web Invoicing System, the Government Purchase Card Program, and PowerTrack.

Objectives

Our overall audit objective was to determine whether IAPS was properly certified and accredited in accordance with the Defense Business Transformation System Certification Criteria. Specifically, we determined whether IAPS complied with the Investment Review Process. Although an announced objective, we did not review the management control program as it related to the overall objective because a management control program has not been developed for the Investment Review Process. See Appendix A for a discussion of the scope and methodology.

Review of Internal Controls

DFAS did not implement sufficient controls to ensure that the modernization decision for IAPS was based on adequate documentation. As a result, the DFAS Executive Steering Group approved the modernization for $759,000 based on unsupported information. Without adequate standard procedures and controls for modernizations under $1 million, the DFAS Executive Steering Group may continue to approve procurements that are not adequately supported and reviewed. See the Finding section of the report for a complete discussion of our review.

DFAS Investment Review Process for Investments Under $1 Million

DFAS did not implement sufficient controls to ensure that the modernization decision for IAPS was based on adequate documentation. This occurred because:

    • supporting documentation was not always maintained or current;

    • the DFAS Investment Review Working Group (IRWG) did not provide adequate guidance for the IAPS system manager on how to complete the IRB workbook; and

    • the IRWG did not provide adequate review procedures for the IRB workbook.

As a result, the DFAS Executive Steering Group (ESG) approved the IAPS modernization for $759,000 based on unsupported information. Without adequate standard procedures and controls for modernizations under $1 million, DFAS may continue to approve procurements that are not adequately supported and reviewed.

DFAS Investment Review Process

On September 2, 2005, DFAS established its own investment review process and governance structure to support Component transformation initiatives and to comply with the CONOPS. DFAS designated the CIO as the headquarters-level authority accountable for business system investments. The CIO acts as the Pre-Certification Authority for business system modernizations or enhancements under $1 million. The CIO certifies and submits investment proposals to the ESG.

DFAS Executive Steering Group. The ESG is the agency's primary, executive-level, decision-making body that reports to the Director of DFAS. Among many other responsibilities, the ESG oversees the DFAS portfolio management initiatives. In doing so, the ESG serves as the Component-level IRB for DFAS. It reviews and approves investment proposals based on decision criteria such as the CONOPS and internal DFAS policies and procedures.

DFAS Investment Review Working Group. The ESG established the DFAS Information Technology IRWG to conduct due diligence reviews and provide input on information technology portfolio and investment issues to the ESG. It is chaired by the Deputy CIO and composed of a representative from each DFAS directorate or business line. The IRWG coordinates and resolves investment issues that arise in the Portfolio Management Processes.[4] It also recommends approval of investment proposals to the ESG.

DFAS IRB Process for Investments Under $1 Million. The IRWG assists in overseeing the Investment Review Process. Prior to obligating funds for modernizations and enhancements under $1 million, DFAS required that system managers complete an IRB workbook providing current system information. The IRWG pre-populated the workbooks to support system managers in meeting review requirements. System managers were required to complete the workbook by answering system-related questions and providing supplemental documents such as architecture diagrams. The system managers were instructed to submit the required materials to the IRWG through the DFAS ePortal.[5] The workbooks and supplemental material were reviewed by the IRWG. If the investment proposals were satisfactory, the IRWG recommended certification to the CIO. The CIO would then certify and recommend approval of the investment proposal to the ESG. See the following diagram for the DFAS Investment Review Process for investments under $1 million.

[Diagram: DFAS IRB Process for Investments Under $1 Million]

FY 2006 Modernization. During FY 2006, DFAS requested $759,000 in funding to complete final systems acceptance testing and implement a major database restructure for IAPS known as the Database Enhancement and Restructure (DEAR). The DEAR modernization would allow IAPS to support electronic commerce initiatives and add functionality to support electronic interfaces.

[4] Portfolio Management is part of the DFAS governance process for information technology investment management and review.
[5] The DFAS ePortal is a web-based tool that contains IRWG guidance, templates, meeting minutes, memorandums, and folders for submitting system documentation.

The DEAR modernization would restructure the IAPS database so that the contract line item number and accounting classification reference number could be cross-referenced. Specifically, DEAR would allow for full or partial receipt and acceptance of goods and services by line item. It would also provide the capability to automatically match invoices to obligations and receiving reports by document and line item and provide for two-way matching (obligation and invoice) and three-way matching (obligation, receiving report, and receipt of invoice). Additionally, DEAR would expand the IAPS database to support a 30-position invoice number data field.

IAPS would be modified to support GAFS fiscal year-end conversion by changing accounting records to prior-year status to maintain agreement with GAFS. The fiscal year-end conversion is scheduled immediately after the DEAR modernization achieves initial operational capability.

FY 2006 Integrated Accounts Payable System Workbook

DFAS did not implement sufficient controls to ensure that the modernization decision for IAPS was based on adequate documentation. Specifically, the workbook responses to the CCA, DITSCAP, and FFMIA compliance questions were not adequately supported.

Clinger-Cohen Act. The IRB workbook indicated that IAPS was compliant with the CCA. However, we could not sufficiently validate whether IAPS was compliant with the CCA because of the lack of supporting documentation.

According to IRWG officials, they created a requirements table for reviewing IAPS compliance with the CCA similar to the table depicted in DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” May 12, 2003. The table in the instruction identifies requirements to be used to help determine whether a system is CCA compliant. Of the ten requirements on the table, four were not applicable to IAPS. The IRWG explained that these were not applicable because IAPS pre-dates the CCA and no modification or event had mandated a CCA compliance review until the current DEAR modernization.

In addition, the IRWG referenced IAPS documents that support the remaining six requirements. These documents were also used to validate IAPS compliance with the CCA. These documents were:

    • IRB workbook,

    • Dashboard,

    • Economic Viability worksheet,

    • DEAR modernization release project schedule,

    • Business Enterprise Architecture worksheet, and

    • System Security Authorization Agreement (SSAA).

Three of the six documents referenced were either not available, not required to be included in the IAPS certification package, or did not contain updated information. Specifically, the Economic Viability worksheet and the DEAR modernization release project schedule were not provided to the audit team for review. Although the IRWG referenced the Economic Viability worksheet as supporting program documentation, the IRWG had already informed us that the economic viability analysis was not required in the certification package for modernizations and enhancements under $1 million. In addition, the SSAA did not contain updated information to reflect accepted risks.

According to the CCA of 1996, the executive agency is responsible for designing and implementing a process for maximizing the value and assessing and managing the risks of the information technology acquisitions of the agency. Specifically, the process should provide for the:

    • selection of information technology investments,

    • management of such investments,

    • evaluation of the results of such investments, and

    • minimum criteria for considering undertaking a particular investment.

Although DFAS is working to refine the CCA compliance and validation process, IAPS compliance with the CCA for FY 2006 is not sufficiently validated and remains unsupported.

DoD Information Technology Security Certification and Accreditation Process. The IRB workbook indicated that IAPS was compliant with DITSCAP. The response was unsupported because the SSAA that was provided as supporting documentation was not updated. The DFAS DAA signed the SSAA and granted IAPS an Authority-to-Operate on September 5, 2003. The DFAS DAA accepted the high risk that IAPS was under a complete re-design to support the agency's electronic data exchange efforts. The DAA also acknowledged that the ability of IAPS to field software changes to meet the agency's goals for electronic data exchange in a timely manner may be questionable. Based on the signed SSAA, the DFAS DAA stated that the DEAR modernization was on schedule and would be fielded in April 2004. However, during our site visit in May 2006, the DEAR modernization had not been implemented. In addition, the SSAA was not updated to reflect the accepted residual risk despite the change in the original security posture accepted by the DFAS DAA.

DITSCAP requires recertification every 3 years, or whenever changes occur to the mission, software, hardware configuration, or operating environment that are significant and affect the original security posture accepted by the DAA. In addition, DoD 8510.1-M, “DITSCAP Application Manual,” states that post-accreditation activities will include ongoing maintenance of the SSAA, system operations, security operations, configuration management, and compliance validation. The DITSCAP Application Manual also states that site operations staff and the Information Systems Security Officer are responsible for maintaining an acceptable level of residual risk. This is achieved by addressing security considerations when changes are made to either the information system baseline or the baseline of the computing environment.

The response to the DITSCAP question was unsupported because an updated SSAA was not in place when the workbook was submitted to the ESG for approval.

Federal Financial Management Improvement Act. The IRB workbook indicated that IAPS was compliant with FFMIA. However, IAPS will not be fully compliant with FFMIA until the DEAR modernization is implemented in FY 2006.

The FFMIA requires each agency to implement and maintain financial systems that comply with Federal financial management system requirements, applicable Federal accounting standards, and the United States Standard General Ledger at the transaction level. In addition, FFMIA requires audits to report whether the agency financial management systems comply with the requirements of the Act.

The FY 2005 DoD Performance Assessment Report, November 12, 2005, did not indicate DoD-wide FFMIA compliance. The report states:

    Specifically, DoD acknowledged that many of its critical financial management and feeder systems did not comply substantially with Federal financial management systems requirements, Federal accounting standards, and the U.S. Government Standard General Ledger at the transaction level as of September 30, 2005. In an attempt to remedy these longstanding financial management systems deficiencies, DoD is developing a DoD-Wide Business Enterprise Architecture. Until the architecture is fully developed and implemented, DoD will continue to be unable to fully comply with the statutory reporting requirements.

DFAS uses DFAS 7900.4G, “A Guide to Federal Requirements for Financial Management Systems,” November 2004, to assess compliance with FFMIA. Known as the Blue Book, it serves as a guide for system managers to use in determining whether their systems are FFMIA compliant. The Blue Book is organized by major functional areas, including Accounts Payable. The IAPS system manager completed a Blue Book self-assessment indicating that the FY 2006 DEAR modernization would allow IAPS to:

    • support the full and partial receipt of services by line item,

    • automatically match invoices to obligations and receiving reports by document and line item, and

    • expand the database to support a 30-position invoice number.

The IAPS system manager answered in the workbook that IAPS is FFMIA compliant. However, the system manager acknowledged in his Blue Book self-assessment that IAPS was not fully compliant with FFMIA. In addition, the IRWG did not seek or require documentation supporting the IAPS FFMIA compliance certification.

Therefore, system managers need to maintain documentation that supports their responses to the IRB workbook questions. System managers also need to ensure that the supporting documentation is current and provides the best assurance that their responses are valid. This will ensure that responses to the CCA, DITSCAP, and FFMIA compliance questions are accurate and fully supported.

Adequacy of Guidance and Review Procedures

The IRWG did not provide adequate guidance to the IAPS system manager on how to complete the IAPS IRB workbook. In addition, the IRWG did not provide adequate review procedures for the IRB workbook.

IRB Workbook Instructions. The IRB workbook instructions provided to the IAPS system manager did not adequately describe the steps that he should follow to complete the workbook. DFAS included instructions in the IRB workbook for IAPS as of August 29, 2005. The instructions have four steps for the system manager to follow. The four steps identified in the instructions are as follows:

    • complete all worksheets in the workbook for your system;

    • do not rename the workbook file;

    • submit the completed workbook to your business line's portfolio manager for review; and

    • submit these three architecture exhibits with your workbook: All View-1, Technical Standards View-1, and Operational View-5.

The instructions do not clearly state how the system managers should complete the workbook and do not identify criteria or documentation that the system managers should reference or maintain in order to validate their IRB workbook responses.

Instructions on the ePortal. In addition to the instructions included in the workbook, the IRWG posted additional instructions for completing the IRB workbooks to the ePortal. The ePortal instructions state that the IRWG would provide written guidance for project managers and system managers on how to complete the workbooks.

The ePortal instructions outlined similar steps to the ones included in the IRB workbook.
However, these instructions, as written, do not adequately outline the\n    necessary steps a system manager must follow to ensure that the IRB workbook is\n    complete and that responses in the workbook are valid.\n\n\n\n\n                                        10\n\x0cThe IRWG needs to develop and provide detailed instructions to the system\nmanagers on how to complete the IRB workbooks. These instructions should\nclearly state each step that the system managers should follow when completing\nthe IRB workbooks. The instructions should also identify the supporting\ndocumentation that system managers should use and maintain when determining\nthe responses to the IRB workbook questions.\n\nWorkbook Review Procedures. The IRWG review procedures were inadequate\nto detect unsupported responses to IRB workbook questions. For example, the\n\xe2\x80\x9cDFAS Under $1 million Review Procedures,\xe2\x80\x9d as of August 19, 2005, had the\nfollowing steps.\n\n   \xe2\x80\xa2   The CIO receives workbook and associated files.\n\n   \xe2\x80\xa2   The CIO alerts all IRWG reviewers through ePortal.\n\n   \xe2\x80\xa2   IRWG business line members review the workbook submission according\n       to their respective topics for 2 days. 
Topics include the following:\n\n              \xe2\x88\x92 General\n\n              \xe2\x88\x92 Transition Plan\n\n              \xe2\x88\x92 Architecture\n\n              \xe2\x88\x92 Requirements and Justification\n\n              \xe2\x88\x92 Economic Viability/Budget\n\n              \xe2\x88\x92 Information Assurance\n\n   \xe2\x80\xa2   If problems or a nonconcur are reported by the CIO or IRWG reviewers,\n       the business line portfolio manager and system manager are notified\n       within 1 day.\n\n   \xe2\x80\xa2   If the workbook submission is accepted with comments, the issue is noted\n       for later IRWG review, and the workbook is forwarded.\n\n   \xe2\x80\xa2   If no problems are reported by reviewers, the CIO alerts all IRWG\n       members and ESG.\n\n   \xe2\x80\xa2   IRWG and ESG review the workbook for 1 day and alert CIO staff of a\n       hold if a problem is identified.\n\n   \xe2\x80\xa2   If an IRWG or ESG member has put a hold on the workbook submission,\n       the portfolio manager, business line manager, and system manager resolve\n       the issue within 1 day.\n\n   \xe2\x80\xa2   If the workbook submission is accepted without a hold, the CIO issues the\n       certification letter ending the review process.\n\n\n\n                                   11\n\x0c    On September 2, 2005, the DFAS CIO issued the, \xe2\x80\x9cInvestment Technology\n    Review Process,\xe2\x80\x9d memorandum. Appendix B of this memo contained the IRWG\n    IRB Workbook Review Process. The appendix explained the IRWG process and\n    provided a timeline for the review. 
It stated that in 3 business days, the IRWG\n    does the following:\n\n        \xe2\x80\xa2   reviews each workbook,\n\n        \xe2\x80\xa2   resolves issues with the business line, and\n\n        \xe2\x80\xa2   provides concurrence or nonconcurrence of the program modernization\n            effort.\n\n    The workbook review procedures do not state how the IRWG reviewers should\n    evaluate workbook responses. The procedures do not specify what supporting\n    documentation to examine, or what specific criteria to apply in analyzing\n    workbook responses.\n\n    The IRWG needs to develop and follow adequate standardized review procedures\n    for the IRB workbooks. These procedures should clearly indicate the specific\n    criteria and documentation that IRWG reviewers should use when determining\n    the validity of the IRB workbook responses. This will ensure that IRB workbook\n    responses accurately reflect compliance with laws such as CCA, DITSCAP, and\n    FFMIA.\n\n\nConclusion\n    The ESG approved the IAPS modernization for $759,000 based on unsupported\n    information. Without adequate standard procedures and controls for\n    modernizations under $1 million, the ESG may continue to approve procurements\n    that are not adequately supported and reviewed. Improving the process will\n    ensure that the ESG has the most reliable system information to make\n    well-informed decisions for business system modernizations under $1 million in\n    the future.\n\n    The IRWG acknowledged the need to improve their investment review process.\n    Based on the issues and concerns expressed to them during the audit, the IRWG is\n    working to refine their investment review process. 
Specifically, the IRWG stated\n    that they are:\n\n    \xe2\x80\xa2   working to refine the CCA compliance validation process,\n\n    \xe2\x80\xa2   working to refine the FFMIA compliance and validation process, and\n\n    \xe2\x80\xa2   developing FY 2007 guidance and instructions.\n\n\n\n\n                                         12\n\x0cManagement Comments on the Finding and Audit Response\nManagement Comments. The Director, Information and Technology responding for the\nDirector, Defense Finance and Accounting Service partially agreed with the need for\nbetter documentation and did not agree with the conclusion that the IAPS modernization\nwas based on unsupported information. The Director stated that the 2005 NDAA does\nnot direct IRBs to require CCA or FFMIA compliance. In addition, the CCA comments\nin the report note items that the audit team did not review rather than focusing on the\nIRWG\xe2\x80\x99s examination and rationale. However, the Director indicated that actions are in\nprogress to address the CCA and FFMIA concerns identified during the audit.\nFurthermore, the Director disagreed with the conclusion that the DEAR modernization\nwas not supported because an updated SSAA was not in place. However, the Director\nindicated that the SSAA was updated with information about the DEAR modernization in\nSeptember 2006.\n\nAudit Response. We reviewed the DFAS Investment Review Process procedures and\nfound that system managers were required to certify that their systems were aligned with\napplicable policies, laws, and regulations. Specifically, system managers were required\nto indicate if their system was compliant with the CCA, the DITSCAP, and the FFMIA.\nRegarding the Director\xe2\x80\x99s comments on the audit team\xe2\x80\x99s review of CCA compliance,\nIRWG officials stated that they created a requirements table for reviewing IAPS\ncompliance with the CCA. 
We considered the IRWG examination and rationale in\nauditing the IRB process by examining the contents of the table. As indicated in this\nreport, the IRWG referenced six documents used to validate IAPS compliance with the\nCCA. However, three of the six documents were either not available, not required in the\ncertification package, or did not contain updated information.\n\n\nRecommendations and Management Comments\n   We recommend that the Director, Defense Finance and Accounting Service:\n\n      1. Require that system managers maintain current supporting\n   documentation for the under $1 million Investment Review Board workbook\n   responses for FY 2007 and future years.\n   Management Comments. The Director, Information and Technology responding for\n   the Director, Defense Finance and Accounting Service concurred and stated that for\n   FY 2007, DFAS requires that all modernizations, regardless of the dollar amount,\n   have the same documentation and level of review. Additionally, DFAS established a\n   repository through the DFAS ePortal for system managers to maintain documents for\n   IRWG review.\n\n      2. Develop, and provide to the system managers, detailed instructions on\n   how to complete the under $1 million Investment Review Board workbooks for\n   FY 2007 and future years.\n\n   Management Comments. The Director, Information and Technology responding for\n   the Director, Defense Finance and Accounting Service concurred and stated that for\n\n\n                                           13\n\x0cFY 2007, DFAS provided detailed instructions and procedures for the completion of\nworkbooks. Additionally, DFAS provided mandatory training in the investment\nreview process for system managers. Also, the IRWG provided system managers\nwith points of contact and established a monthly forum for updates and reminders.\n\n    3. 
Develop and provide adequate standardized review process procedures\nfor the under $1 million Investment Review Board workbooks for FY 2007 and\nfuture years.\n\nManagement Comments. The Director, Information and Technology responding for\nthe Director, Defense Finance and Accounting Service concurred and stated that for\nFY 2007, the IRWG has published standard review criteria, including instructions for\neach topic area of the workbooks, with specific criteria and supporting documentation\nnecessary for a due diligence review. Additionally, DFAS has added subject matter\nexperts to the IRWG to provide better topical coverage of reviews, including CCA,\nDITSCAP, and FFMIA.\n\n\n\n\n                                       14\n\x0cAppendix A. Scope and Methodology\n   We performed the audit at DFAS Headquarters in Arlington, Virginia, and DFAS\n   Denver, Colorado. We reviewed the DFAS Investment Review Process used to\n   approve the obligation of funding for FY 2006 IAPS modernization efforts. We\n   interviewed members of the IRWG as well as the IAPS system manager. We also\n   obtained and reviewed DFAS Investment Review Process procedures and\n   documentation. Specifically, we reviewed charters, designation letters, the\n   FY 2006 IAPS modernization workbook and supplemental documentation.\n\n   We reviewed and compared the procedures and documentation to the following\n   laws, policies, and DFAS guidance related to the Defense business system\n   investment review process. Specifically, we reviewed:\n\n   \xe2\x80\xa2   Public Law 108-375, \xe2\x80\x9cRonald W. 
Reagan National Defense Authorization Act\n       for FY 2005,\xe2\x80\x9d October 28, 2004;\n\n   \xe2\x80\xa2   Public Law 104-208, \xe2\x80\x9cFederal Financial Management Improvement Act ,\xe2\x80\x9d\n       September 30, 1996;\n\n   \xe2\x80\xa2   Public Law 104-106, \xe2\x80\x9cClinger Cohen Act,\xe2\x80\x9d February 10, 1996;\n\n   \xe2\x80\xa2   DoD Instruction 5000.2, \xe2\x80\x9cOperation of the Defense Acquisition System,\xe2\x80\x9d\n       May 12, 2003;\n\n   \xe2\x80\xa2   DoD Instruction 5200.4, \xe2\x80\x9cDoD Information Technology Security Certification\n       and Accreditation Process,\xe2\x80\x9d December 30, 1997;\n\n   \xe2\x80\xa2   DoD Manual 8510.1-M, \xe2\x80\x9cDoD Information Technology Security Certification\n       and Accreditation Process Application Manual,\xe2\x80\x9d July 31, 2000;\n\n   \xe2\x80\xa2   Department of Defense, \xe2\x80\x9cInvestment Review Process Overview and Concepts\n       of Operations For Investment Review Boards,\xe2\x80\x9d May 17, 2005;\n   \xe2\x80\xa2   Department of Defense, \xe2\x80\x9cBusiness Systems Investment Review Proposal\n       Submission Guideline,\xe2\x80\x9d July 15, 2005;\n\n   \xe2\x80\xa2   \xe2\x80\x9cDoD Information Technology Registry Merger Into the DoD Information\n       Technology Portfolio Repository,\xe2\x80\x9d September 28, 2005; and\n\n   \xe2\x80\xa2   DFAS Publication 7900.4G, \xe2\x80\x9cA Guide to Federal Requirements for Financial\n       Management Systems,\xe2\x80\x9d November 2004.\n\n   We performed this audit from March 2006 through August 2006 in accordance\n   with generally accepted government auditing standards. We did not review the\n   management control program as it related to the investment review process\n   because a management control program has not been established for the DFAS\n   investment review process.\n\n\n\n\n                                     15\n\x0cUse of Computer-Processed Data. 
We did not use computer-processed data to\nperform this audit.\n\nGovernment Accountability Office High-Risk Area. The Government\nAccountability Office has identified several high-risk areas in DoD. This report\nprovides coverage of the DoD Approach to Business Transformation, specifically,\nDoD Financial Management and DoD Business Systems Modernization.\n\nPrior Coverage. No prior coverage has been conducted on IAPS during the last\n5 years.\n\n\n\n\n                                   16\n\x0c Appendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n   Director, Acquisition Resources and Analysis\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nDirector, Program Analysis and Evaluation\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Command\nCommander, U.S. Joint Forces Command\n  Inspector General, U.S. 
Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Finance and Accounting Service\nDirector, Defense Business Transformation Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\n\n\n\n\n                                          17\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member (cont\xe2\x80\x99d)\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government Reform\n\n\n\n\n                                       18\n\x0cDefense Finance and Accounting Service\nComments\n\n\n\n\n                      19\n\x0c20\n\x0c21\n\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service prepared this report. Personnel of the\nDepartment of Defense Office of Inspector General who contributed to the report\nare listed below.\n\nPaul J. Granetto\nPatricia A. Marsh\nMichael Perkins\nYolanda C. Watts\nKandy T. Adams\nBenjamin Calhoun\nChristian A. Ikeanyi\nMonelle K. Riviere\nShantiki S. Sanders\nJonathan T. Cruz\nMichael E. Williams\nAnn Thompson\n\x0c\x0c'